auditd(1M)		System Administration Commands		    auditd(1M)

       auditd -	audit daemon


       The audit daemon, auditd, controls the generation and location of audit
       trail files and the generation of syslog messages based on the
       definitions in audit_control(4). If auditing is enabled, auditd reads
       the audit_control(4) file to do the following:

         o  reads the path to a library module for realtime conversion of
            audit data into syslog messages;

	 o  reads other	parameters specific to the selected plugin or plugins;

	 o  obtains  a list of directories into	which audit files can be writ-

	 o  obtains the	percentage limit for how much space to reserve on each
	    filesystem before changing to the next directory.

       audit(1M) is used to control auditd. It can cause auditd	to:

	 o  close the current audit file and open a new	one;

	 o  close  the current audit file, re-read /etc/security/audit_control
	    and	open a new audit file;

	 o  close the audit trail and terminate	auditing.

   Auditing Conditions
       The audit daemon	invokes	the program audit_warn(1M) under the following
       conditions with the indicated options:

       audit_warn soft pathname

           The file system upon which pathname resides has exceeded the
           minimum free space limit defined in audit_control(4). A new audit
           trail has been opened on another file system.

       audit_warn allsoft

	   All available file systems have been	filled beyond the minimum free
	   space limit.	A new audit trail has been opened anyway.

       audit_warn hard pathname

           The file system upon which pathname resides has filled or for some
           reason become unavailable. A new audit trail has been opened on
           another file system.

       audit_warn allhard count

           All available file systems have been filled or for some reason
           become unavailable. The audit daemon will repeat this call to
           audit_warn every twenty seconds until space becomes available.
           count is the number of times that audit_warn has been called since
           the problem arose.

       audit_warn ebusy

	   There is already an audit daemon running.

       audit_warn tmpfile

	   The file /etc/security/audit/audit_tmp exists, indicating  a	 fatal

       audit_warn nostart

	   The internal	system audit condition is AUC_FCHDONE. Auditing	cannot
	   be started without rebooting	the system.

       audit_warn auditoff

	   The internal	system audit condition has  been  changed  to  not  be
	   AUC_AUDITING	 by  someone  other than the audit daemon. This	causes
	   the audit daemon to exit.

       audit_warn postsigterm

	   An error occurred during the	orderly	shutdown of the	auditing  sys-

       audit_warn getacdir

	   There  is  a	 problem  getting  the	directory list from /etc/secu-

	   The audit daemon will hang in a  sleep  loop	 until	this  file  is
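
       The conditions above can be turned into triage output. The following
       is an added example, not the audit_warn(1M) script shipped with the
       system: the function name, the syslog priority chosen for each
       condition, and ESCALATE_AFTER are assumptions.

```shell
#!/bin/sh
# Added example (not the system's audit_warn): classify the conditions
# auditd reports. Prints "<syslog-priority> <message>".
# The priority mapping and ESCALATE_AFTER are assumptions.
ESCALATE_AFTER=${ESCALATE_AFTER:-3}   # allhard calls before escalating

classify_audit_warn() {
    cond=$1
    arg=$2
    case $cond in
    soft|hard)
        # Both carry the pathname whose file system forced the switch.
        [ -n "$arg" ] || { echo "err $cond: missing pathname"; return 2; }
        if [ "$cond" = soft ]; then
            echo "warning soft limit exceeded on $arg; trail moved"
        else
            echo "alert $arg full or unavailable; trail moved"
        fi ;;
    allsoft)
        echo "alert all audit file systems past soft limit" ;;
    allhard)
        # count = calls so far; auditd repeats the call every 20 seconds.
        case $arg in
        ''|*[!0-9]*) echo "err allhard: bad count '$arg'"; return 2 ;;
        esac
        secs=$((arg * 20))
        if [ "$arg" -ge "$ESCALATE_AFTER" ]; then pri=emerg; else pri=alert; fi
        echo "$pri no audit space for about ${secs}s (call $arg)" ;;
    ebusy)
        echo "err another audit daemon is already running" ;;
    tmpfile)
        echo "crit /etc/security/audit/audit_tmp exists" ;;
    nostart)
        echo "crit audit condition is AUC_FCHDONE; reboot required" ;;
    auditoff)
        # Auditing was switched off by something other than auditd.
        echo "alert audit condition changed outside auditd; daemon exits" ;;
    postsigterm)
        echo "err error during orderly audit shutdown" ;;
    getacdir)
        echo "crit cannot get directory list; auditd sleeping" ;;
    *)
        echo "err unknown audit_warn option '$cond'"; return 2 ;;
    esac
}

# Constructed sample invocations, in the form auditd passes them.
classify_audit_warn soft /var/audit
classify_audit_warn allhard 4
```

       The first word of each line can be passed to logger(1) as the
       priority, so that auditoff and repeated allhard calls reach an
       operator instead of being lost with the audit trail.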



       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       |Availability                 |SUNWcsu                      |
       |Interface Stability          |Evolving                     |

       audit(1M), audit_warn(1M), bsmconv(1M), praudit(1M), auditon(2),
       auditsvc(2), audit.log(4), audit_control(4), audit_data(4), attributes(5)

       The functionality described in this man page is available only  if  the
       Basic  Security Module (BSM) has	been enabled. See bsmconv(1M) for more

       auditd is loaded in the global zone at boot time if auditing is
       enabled. See bsmconv(1M).

       If the audit policy perzone is set, auditd runs in each zone, starting
       automatically when the local zone boots. If a zone is running when the
       perzone policy is set, auditing must be started manually in local
       zones. It is not necessary to reboot the system or the local zone to
       start auditing in a local zone. auditd can be started with
       "/usr/sbin/audit -s" and will start automatically with future boots of
       the zone.

       When auditd runs in a local zone, the configuration is taken from the
       local zone's /etc/security directory's files: audit_control,
       audit_class, audit_user, audit_startup, and audit_event.

SunOS 5.10			  26 May 2004			    auditd(1M)

